I am looking for a tool that will go through my coldfusion code and add cfqueryparam's where needed. I found many that will scan and show me where I need to make changes but I found one at http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection which is pretty close to what I was looking for. But it doesn't add the cfsqltype (or maxlength) and I was wondering if this still prevents sql injection without cfsqltype? And if it is required (I know it is technically optional) do you know of another tool that will do this? I also read that it is also important to make sure that any variables in the order by clause are parameterized also, which this tool doesn't check for.
I am thinking of buckling down and changing the code from http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection to do all this, but I thought it would be wise to ask first.
From what I have read, the tools may be inaccurate. I would suggest buckling down and doing the hard work instead.
Do an extended search in your text editor for <cfquery. Proceed systematically per directory. Make a record of the files found and the relevant line numbers.
Then go through the list, one by one, adding the cfqueryparam tags where necessary. In the end you will be confident that your code has mitigated the security risks the way you want.
I have to agree with BKBK. It may be a pain, esp if you have hundreds of files that contain queries. But it's the best way to make sure you've got all of them covered, and you don't have to risk some third-party tool screwing up your code. It can happen.